What is a side-channel attack, and how does Simple Power Analysis (SPA) recover an RSA key?
A side-channel attack reads information that leaks from the physical implementation — power consumption, timing, electromagnetic emissions, cache state, acoustic noise — rather than from the math of the cipher.
The RSA example: a textbook square-and-multiply exponentiation loops over the exponent's bits. On a "0" bit it only squares; on a "1" bit it squares and multiplies. Square and multiply consume slightly different amounts of electrical power.
for each bit b of key d:
result = result^2 mod n # squaring (always)
if b == 1:
result = result * base mod n # multiplication (only if 1)
An attacker hooks an oscilloscope to the chip's power line, sees a long sequence of power-traces, and the bit pattern of the private key falls out directly — no math required.
Other classic side channels:
- Timing — operation duration leaks data (Kocher 1996; Lucky 13 against TLS-CBC).
- Cache — Spectre/Meltdown, Flush+Reload, Prime+Probe on AES T-tables.
- EM — TEMPEST against monitors; reading laptop keys from across the room.
- Acoustic — Genkin/Shamir/Tromer extracted RSA keys from CPU coil whine.
Defenses: constant-time code (no data-dependent branches or memory accesses), blinding (randomise inputs to RSA so traces don't correlate with the key), masking (mix the secret with random values during computation), and physical shielding.
Tip: Side channels are why "the math is unbroken" is not the same as "the system is secure." Real-world AES extractions have all come from side channels, not from breaking AES itself.